If the user is in LDAP and on the RSA Authentication Manager via an LDAP connection, once you move or remove them from LDAP, they become 'unresolvable' in the database, and if you run regular cleanup jobs, that job will unassign the token automagically from unresolvable users.

Otherwise...

Auth Manager Bulk Admin on the command line of the primary has listing features to look at user data, but the LDAP users still need to be connected to the database and not unresolvable for Bulk Admin to do lookups.

List User Info for User: This command will produce user and assigned token information for one user. This command duplicates the List User Info by Field command (above) in every respect except one. The difference is that this command will supply the information for a single supplied default login, or an associated user if a token serial number is supplied. If both are supplied, the token serial number is ignored.

Delete User: The specified user will be deleted from the database and any associated tokens returned to the unassigned state. The user is also removed from all other associations (Groups etc.).

Action: DU

Required Fields: DefLogin or TokSerial

Optional Fields: IdentitySource, SecurityDomain

If Security Domain and Identity Source are not provided, then the user will be searched in the default identity source (Internal Database) and security domain (System Domain) created during Authentication Manager installation.

Are you referring to cleaning up unresolvable users on regular basis? Or is there another way to clean up Identity sources?

What brought this on was we had a user get disabled in AD before their token was unassigned. Then we could not unassign that token from the 'unknown' user. I tried a cleanup of unresolvable users, but it didn't make a difference; the token was still "stuck".

With RSA support's help we blocked the problem user ID from the identity source search filter, and were then able to successfully clean up the user.

Would regular cleanups prevent such 'stuck' tokens?

I don't think we have the ability to use the AMBA. Last I checked we were not licensed for it.
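The workaround above (excluding the stuck user ID from the identity source's LDAP search filter) comes down to adding a negated clause to the filter. The following is an added example, not RSA's code or anything from this thread; it assumes the identity source takes a standard RFC 4515 filter string, and the attribute name sAMAccountName and the base filter are placeholders for whatever your identity source is actually configured with. The escaping step matters because the excluded value is spliced into the filter, and a user ID containing `*`, `(` or `)` would otherwise change what the filter matches.

```python
# Build an LDAP search filter that excludes specific user IDs.
# Added example; attribute name and base filter are assumptions.

def escape_filter_value(value: str) -> str:
    """Escape a value for use inside an LDAP filter (RFC 4515 section 3).

    Backslash must be escaped first so the escapes it produces are not
    re-escaped by the later replacements.
    """
    return (value.replace("\\", "\\5c")
                 .replace("*", "\\2a")
                 .replace("(", "\\28")
                 .replace(")", "\\29")
                 .replace("\x00", "\\00"))


def exclude_users(base_filter: str, user_ids, attribute: str = "sAMAccountName") -> str:
    """AND the base filter with one (!(attr=value)) clause per excluded user.

    An empty exclusion list returns the base filter unchanged, so the
    function is safe to apply unconditionally.
    """
    clauses = "".join(
        f"(!({attribute}={escape_filter_value(uid)}))" for uid in user_ids
    )
    if not clauses:
        return base_filter
    return f"(&{base_filter}{clauses})"


if __name__ == "__main__":
    # Constructed sample: a generic AD user filter and one stuck account.
    base = "(&(objectClass=user)(objectCategory=person))"
    print(exclude_users(base, ["jdoe"]))
    # A hostile-looking ID is neutralised rather than breaking the filter.
    print(exclude_users(base, ["x)(objectClass=*"]))
```

Once the stuck user no longer matches the filter, the cleanup job sees an ordinary unresolvable user and can unassign the token; remember to remove the exclusion afterwards so the filter does not accumulate dead clauses.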

Make sure when running the one-time cleanup that you uncheck the grace period, so that objects that have gone missing show up immediately; otherwise you can only see objects that have been stale longer than the time period in the default box (7 days).

Yes, scheduled cleanups will prevent 'stuck' tokens and put them back in the assignable pile. The scheduled cleanup should be set with a grace period and a limit. For example, the default is: don't run if more than 50 objects are found, and only clean objects older than 7 days. The reason you want thresholds is that if there is a network error and all users show up as orphans, the job doesn't run and accidentally unassign everyone's token over a network problem. The system only knows 'I found a ton of orphaned GUIDs', and if the cleanup would run the moment you have a network or domain controller issue, it should not run at all.
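The two thresholds described above (a grace period and an object limit) are what stop a transient directory outage from turning into a mass token unassignment. The following is an added example that models that policy; it is not RSA's cleanup code and makes one assumption the thread leaves open: that the object limit counts every unresolvable user found, before the grace period is applied, since that is the count that balloons during an outage. The sample data is constructed.

```python
# Model of a scheduled "clean up unresolvable users" job with safety
# thresholds. Added example; not RSA Authentication Manager code.
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class Orphan:
    """A user the identity source can no longer resolve (assumed shape)."""
    guid: str
    token_serial: str
    unresolvable_since: datetime


def plan_cleanup(orphans, now, grace_period=timedelta(days=7), max_objects=50):
    """Decide whether the job may run and which tokens it would unassign.

    Returns (should_run, token_serials). The limit is checked against the
    total number of orphans found (assumption, see lead-in): a directory
    outage makes every user look orphaned at once, so a count above the
    limit is treated as a bad signal and the job does nothing. The grace
    period then drops users that only went missing recently, which also
    absorbs short outages that fall under the limit.
    """
    if len(orphans) > max_objects:
        return False, []
    stale = [o for o in orphans if now - o.unresolvable_since >= grace_period]
    return True, sorted(o.token_serial for o in stale)


def normal_day(now):
    """Constructed sample: two long-stale orphans and one recent one."""
    return [
        Orphan("guid-0001", "000123456789", now - timedelta(days=10)),
        Orphan("guid-0002", "000123456790", now - timedelta(days=8)),
        Orphan("guid-0003", "000123456791", now - timedelta(days=2)),
    ]


def outage(now, count=60):
    """Constructed sample: a domain controller went away an hour ago."""
    return [
        Orphan(f"guid-{i:04d}", f"{100000000000 + i:012d}", now - timedelta(hours=1))
        for i in range(count)
    ]


if __name__ == "__main__":
    now = datetime(2024, 1, 15, tzinfo=timezone.utc)
    print("scheduled, normal day:", plan_cleanup(normal_day(now), now))
    # One-time cleanup with the grace period unchecked shows everything.
    print("one-time, no grace:", plan_cleanup(normal_day(now), now, timedelta(0)))
    print("scheduled, outage:", plan_cleanup(outage(now), now))
```

With the grace period set to zero, as suggested for a one-time cleanup, the recent orphan is listed too; during the simulated outage the count exceeds the limit and the job refuses to run regardless of the grace period.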